How to Configure VXLAN on Fortigate
Hello everyone, in this video I will show how you can extend VLANs over IP. On FortiGate you can do this by using VXLAN.
You can see my topology in this picture. I have 2 firewalls that connect to each other; this connection can be through a layer 2 switch, layer 3 routers, or an IPSec tunnel. It does not matter which connection type you use, because with VXLAN your Ethernet frames are encapsulated, sent to the other side inside IP packets, and then decapsulated.
I have 2 trunk ports (port 2 on both firewalls) that connect to layer 2 switches and carry VLAN 3500 and VLAN 3600 traffic.
You can see the IP addresses in this picture. I use 10.10.10.141 and 10.10.10.142 to manage the firewalls, and our VXLAN tunnel will also come up over these IPs.
Ok, let's start the configuration.
Start the configuration on 10.10.10.141. First we have to create the VXLAN interface; you cannot do this from the GUI, so open the console.
Write config system vxlan
Edit vxlan3500; you can use any name for your interface.
Set vni 3500; this command tells which VLAN this tunnel carries (the VNI is the VXLAN network identifier).
Set por…… sorry, set interface port1; that means initiate my VXLAN tunnel from this interface. It can be a physical interface or an IPSec tunnel.
Set remote-ip 10.10.10.142; this command sets the tunnel destination IP address, in other words the other end of our VXLAN tunnel.
Ok, end.
As you can see, in the interfaces under port1 I can see the vxlan3500 interface and its type is VXLAN.
Let's create a VLAN on port2 to carry our VLAN 3500 traffic to the layer 2 switch, as I have already shown in the topology.
Give it a name, set the interface, enter 3500 as the VLAN ID, and click OK.
As you can see I have a VLAN interface and a VXLAN interface, and both of them are set to VLAN 3500. Now I need to create a software switch and assign these interfaces to it.
Select software switch.
Give it a name.
Select the VLAN and VXLAN interfaces as members.
Give an IP to this interface. You can skip that, but this time I give it an IP address to test my VXLAN configuration.
Ok, our software switch on this firewall is created and it has an IP address. Now I have to configure the other firewall.
Create the VXLAN on this firewall.
Edit vxlan 3500,
Hmm, what is the problem? Oh, I put a space in the name.
Names can be different on the firewalls, but I use the same name on both ends.
Set vni
Set interface
Then set the remote IP that points to the other end of my tunnel; it is the reverse of the first firewall.
Ok, the VXLAN interface is created.
Now create a VLAN on port 2.
Set the VLAN ID.
That is ok.
Same as the earlier configuration, I create a software switch and assign an IP address to it.
The name can be different, but I use the same name on both ends.
Set the members.
Give the IP address.
As you can see in this topology, this side's IP address is 192.192.35.142.
Ok.
As you can see, the software switch is created.
Now I am going to test my VXLAN tunnel.
Execute ping 192.192.35.141; as you can see this IP is located on the other side of our tunnel.
Ok, our tunnel configuration is correct and we can ping an IP in VLAN 3500 from the other side of our tunnel.
With this diagnostic command you can see the MAC addresses learned from the other end of the tunnel for a specific VXLAN interface:
diagnose sys vxlan fdb list vxlan3500
As you can see, this MAC address is our port2 interface on the other end of the tunnel.
I copy this command and execute it on the other firewall to see the result.
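The encapsulation described at the start of the video and the learned-MAC table that diagnose sys vxlan fdb list shows, as an added Python model (not FortiGate code): it builds and parses the RFC 7348 VXLAN header, and models the receiving end mapping a VNI to its vxlan interface and learning the inner source MAC against the remote tunnel IP. The VNI-to-interface table and the MAC addresses are constructed for illustration.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08    # "I" bit: the VNI field is valid

def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header to an untagged Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # byte 0: flags, bytes 1-3: reserved, bytes 4-6: VNI, byte 7: reserved
    return struct.pack("!BBBBI", VXLAN_FLAG_I, 0, 0, 0, vni << 8) + inner_frame

def vxlan_decapsulate(packet: bytes) -> tuple:
    """Strip the VXLAN header and return (vni, inner Ethernet frame)."""
    if len(packet) < 8 + 14:  # VXLAN header plus a minimal Ethernet header
        raise ValueError("packet too short for VXLAN + Ethernet")
    flags, _, _, _, vni_field = struct.unpack("!BBBBI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    return vni_field >> 8, packet[8:]

def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: the FortiGate VLAN interface has already
    removed the 802.1Q tag, so only the VNI says which VLAN this belongs to."""
    macs = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return macs + struct.pack("!H", ethertype) + payload

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

class VxlanReceiver:
    """Receiving end: map the VNI to a vxlan interface and learn the inner
    source MAC per interface, the table `diagnose sys vxlan fdb list` shows."""

    def __init__(self, vni_to_iface: dict):
        self.vni_to_iface = vni_to_iface  # constructed, e.g. {3500: "vxlan3500"}
        self.fdb = {}                     # iface -> {inner src MAC: remote VTEP IP}

    def receive(self, remote_ip: str, packet: bytes):
        vni, frame = vxlan_decapsulate(packet)
        iface = self.vni_to_iface.get(vni)
        if iface is None:
            return None  # no vxlan interface for this VNI: drop the packet
        self.fdb.setdefault(iface, {})[mac_str(frame[6:12])] = remote_ip
        return iface, frame
```

A packet whose VNI has no matching vxlan interface is dropped and nothing is learned, which is why each VLAN needs its own vxlan interface on both ends.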
Now create another VXLAN interface to carry VLAN 3600 traffic.
Set vni 3600
The configuration is the same as vxlan3500, but the VNI is different.
vxlan3600 is created.
Now create a VLAN 3600 interface on port 2.
Set the VLAN ID to 3600.
Ok.
Again create another software switch and assign the vxlan3600 and VLAN 3600 interfaces as its members.
Give it a name.
Select the members.
Give an IP address.
As you can see in the topology, this VLAN's subnet is 192.192.36.
Ok.
The software switch is created.
As you can see, without configuring VXLAN on both firewalls I cannot ping the VLAN 3600 IP address.
Create vxlan3600 on this firewall.
Set vni
Set the remote IP to the other side of the tunnel.
End
Try to ping,
It fails because I did not create a software switch and assign the VXLAN and VLAN interfaces as members.
Create VLAN 3600.
Set the VLAN ID.
Ok.
Now create a software switch.
Assign vxlan3600 and VLAN 3600 to it.
Give an IP address based on our topology.
Ok, I have 2 software switches now, with the VXLAN and VLAN interfaces assigned to them.
Now test an IP address in VLAN 3600.
That is it.
Also, you can see the MAC addresses learned on this VLAN from the other end of the tunnel.
By using this method you can extend your layer 2 networks between different locations over WAN links; what you use it for is up to you.
For each VLAN you have to create a separate VXLAN interface and software switch.
I hope you enjoy this video. If you have any questions, you can ask them in the comments. Don't forget to subscribe to my channel and watch other videos. Have a good day.